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File Type 


MRC modules are relocatable portable executable files (normally DLL files) that expose a function exported by ordinal. An Archangel MRC 
module is referred to as "fire-and-forget" (FAF) module as Archangel simply loads the module file and creates a thread that calls the exported 
function. Archangel does not directly interact with the module after it has been loaded. 


Flow of Events 

1. Archangel maps a module into a memory, performing fixups as appropriate, and recursively loads any dependencies. 

2. Archangel spawns a new thread in the injected process. 

3. This thread calls DIIMain and then the exported function as described below. 

G If DIIMain or the exported function are not present, then Archangel unloads the module. 

4. Upon the exported function's return, the module and any dependencies are unloaded. This behavior can be overridden if desired. 


Exported Function 

Definition 

An MRC module exposes an exported function with the prototype: 

// ordinal 1 

HRESULT WINAPI MRC_FireAndForget ( in LPVOXD run__arg struct); 

It is exported by ordinal only. The MRC loaders do not use the name of the function when resolving exports. 
Atypical MRC .deffile: 


LIBRARY module 


EXPORTS 


MRC_FireAndForget 

@1 NONAME 


Arguments 

An MRC fire-and-forget (FAF) module provides the ability to simply run a module with an argc/argv as if it was run from the command line. The 
module's MRC_FireAndEorget function is called and the run_arg_struct parameter points to a module remote args structure as defined 
below: 


// Ensure proper structure member alignment 
#pragma pack (push) 

Ipragma pack(l) 

/ / argument structure 

tdefine MODULE_ARGS_CMDLINE_LEN (MAX_PATH * 4) 
typedef struct _MODULE_REMOTE_ARGS 
{ 

// MRC_FI RE ANDFORGE T_HDR 

DWORD version; // Current version is 2 

LPVOID hModule; // pointer to the beginning of the module in memory 
DWORD moduleSize; // module size in memory 

// MRC_MODULE_USERARGS 

// argv [0] will be set to placeholder value for option parsing compatibility 
wchar_t cmdline [MODULE__ARGS_CMDLINE_LEN] ; 

} 

MODULE_REMOTE_ARGS , * PMODULE_REMOTE_ARGS ; 

Ipragma pack (pop) 


The module_remote_args structure is designed for future extensibility by including a version number, reported via the structure's version 
field. The current version of the structure is two (2). If the structure is modified, additional fields will be added to the end of the structure and the 
version number will be incremented. Existing fields will be retained and will remain valid for backwards compatibility with existing modules. 


Return Values 

After an FAF module's MRC_FireAndForget function returns, the loader assumes the module is done executing and will unload the module and 


If a module desires to remain loaded (e.g., a module that installs hooks in the usermode process but does not execute code itself) the 

MRC_FireAndForget function Should return the special error COde HRESULT_FROM_WIN32(ERROR_UNABLE to unload media) In this 

case the MRC module and any dependencies it triggered can no longer be unloaded and will remain in memory until the process exits. 


